The CWR or ECE flags were set and the stateful configuration specified that these packets should be denied.

This event appears when the option Enable Stateful Inspection > TCP > Deny TCP packets containing CWR, ECE flags is enabled in the stateful configuration. CWR and ECE are the ECN (Explicit Congestion Notification) bits, and ECN-capable hosts set them legitimately during the handshake and whenever congestion is signalled, so this event normally reflects ECN traffic rather than an attack. If the customer wants to stop the event, disable that option.

Dropped Retransmit

This status means the network engine detected a TCP retransmission whose content differs from what was sent initially. The note field carries one of four values: prev-full, prev-part, next-full and next-part. They are set according to where the changed content lies in the TCP stream. The engine checks this by comparing the packet data it has queued in the connection buffer with the retransmitted packet. If the changed area lies in the closest queued packet, the note is “prev-full” or “prev-part”: “prev-full” if that queued packet contains all of the corresponding data of the retransmitted packet, otherwise “prev-part”.

Sometimes the change is not in the closest queued packet but in a following one. The note is then “next-full” if the retransmitted packet contains all of the corresponding data of that queued packet, otherwise “next-part”.

This alert can be avoided by creating firewall bypass rules. A bypass rule exempts the matched traffic from inspection, so scope it to the specific hosts and ports involved rather than a whole network, and first confirm from a capture that the differing retransmissions have a benign cause (for example a middlebox rewriting packets) and are not an attempt to inject data into the stream.
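To make the four note values concrete, here is an added illustrative model of the comparison described above. It is not Trend Micro's engine code: it keeps the segments already seen on a connection (the connection buffer) and, when a retransmission arrives, compares the retransmitted bytes with the bytes originally queued for the same sequence range. The queued segments and the retransmissions are constructed sample data, and "closest queued packet" is taken to mean the queued segment that covers the start of the retransmitted range (an assumption; the page does not define it further). Sequence-number wraparound is ignored.

```python
"""Illustrative model of the "Dropped Retransmit" classification (added example,
not the product's code).  Note values prev-full / prev-part / next-full /
next-part follow the description on the page."""
from dataclasses import dataclass
from typing import List, Optional


@dataclass
class Segment:
    seq: int        # sequence number of the first byte (no 32-bit wrap handling: assumption)
    data: bytes

    @property
    def end(self) -> int:
        return self.seq + len(self.data)


def overlapping(queued: List[Segment], seg: Segment) -> List[Segment]:
    """Queued segments that share at least one sequence number with seg, lowest seq first."""
    return sorted((q for q in queued if q.seq < seg.end and seg.seq < q.end),
                  key=lambda q: q.seq)


def classify_retransmit(queued: List[Segment], seg: Segment) -> Optional[str]:
    """Return None when the retransmitted bytes match what was queued, else the note value."""
    for i, q in enumerate(overlapping(queued, seg)):
        lo, hi = max(q.seq, seg.seq), min(q.end, seg.end)
        original = q.data[lo - q.seq:hi - q.seq]
        resent = seg.data[lo - seg.seq:hi - seg.seq]
        if original == resent:
            continue
        if i == 0:
            # change lies in the closest queued packet:
            # prev-full if that queued packet holds every byte of the retransmission
            full = q.seq <= seg.seq and seg.end <= q.end
            return "prev-full" if full else "prev-part"
        # change lies in a following queued packet:
        # next-full if the retransmission holds every byte of that queued packet
        full = seg.seq <= q.seq and q.end <= seg.end
        return "next-full" if full else "next-part"
    return None


# Constructed connection buffer: two queued client segments of one HTTP request.
QUEUED = [
    Segment(1000, b"GET /index.html HTTP/1.1\r\n"),   # bytes 1000..1025
    Segment(1026, b"Host: example.test\r\n"),         # bytes 1026..1045
]

# Constructed retransmissions and the note each one produces.
SAMPLES = [
    ("identical retransmit", Segment(1000, b"GET /index.html HTTP/1.1\r\n")),
    ("same range, path changed", Segment(1000, b"GET /admin.html HTTP/1.1\r\n")),
    ("tail of first segment changed, spills into second", Segment(1020, b"/9.9\r\nHost: example.test\r\n")),
    ("both segments resent, Host changed", Segment(1000, b"GET /index.html HTTP/1.1\r\nHost: evil.example\r\n")),
    ("partial second segment, Host changed", Segment(1000, b"GET /index.html HTTP/1.1\r\nHost: ev")),
]


def main() -> None:
    for label, seg in SAMPLES:
        print(f"{label}: {classify_retransmit(QUEUED, seg)}")


if __name__ == "__main__":
    main()
```

A retransmission that matches the buffered bytes yields None and would pass; any of the four strings is what the engine would put in the note field, and the "full"/"part" suffix tells you whether the changed packet was entirely covered by its counterpart, which is the first thing to check when deciding whether a middlebox or an injector is responsible.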

First Fragment Too Small

A fragmented packet was encountered and the size of the first fragment is less than the size of a TCP packet with no data (IP header plus TCP header).

A packet is dropped as “First fragment too small” when it has all of the following:

MF flag = 1

Offset value = 0

Total length less than 120 bytes (120 is the maximum combined header length: a 60-byte IPv4 header plus a 60-byte TCP header, so a smaller first fragment may not even carry a complete transport header for inspection).

Update the Minimum Fragment Size in the Network Engine settings to a lower value, or to “0” to turn off this inspection. Lowering it also weakens protection against tiny-fragment evasion, where the transport header is split across fragments to slip past inspection, so identify the sender before relaxing it.

Fragment Offset Too Small

One or more offsets specified in a fragmented packet sequence are less than the size of a valid datagram.

Update the Minimum Fragment Offset in the Network Engine settings to a lower value, or to “0” to turn off this inspection.

Fragment Out Of Bounds

One or more offsets specified in a fragmented packet sequence lie outside the range of the maximum size of a datagram (the offset plus the fragment's payload would exceed the 65535-byte IPv4 maximum).

One or more flags set in the packet are invalid. This could be due to a flag that does not make sense within the context of the current connection (if any), or due to a nonsensical combination of flags. (The Stateful Configuration must be set to “ON” for connection context to be assessed.)

This alert can be raised for multiple reasons; check case by case.

Invalid IP

The source IP of the packet is not valid (a null source address, 0.0.0.0).

To allow such packets, the customer can change Allow Null IP in the Network Engine settings to Yes. DHCP clients legitimately send DHCPDISCOVER and DHCPREQUEST from source 0.0.0.0 before they have an address, which is the usual benign cause of this event.

Invalid IP Datagram Length

The length of the IP datagram is less than the length specified in the IP header.

N/A

Invalid Port Command

An invalid FTP port command was encountered in the FTP control channel data stream.

Capture the traffic for detailed analysis. In the capture, check the PORT argument (h1,h2,h3,h4,p1,p2): an address that does not match the client's own is typical of a NAT device rewriting the control channel, or of an FTP bounce attempt.

Invalid Sequence

A packet with an invalid sequence number or out-of-window data size was encountered.

Capture the traffic for detailed analysis, comparing the segment's sequence number and length with the window the receiver last advertised.

Invalid IP Header Length

An invalid IP header length (< 5*4 = 20) is set in the IP header.

N/A

IP Version Unknown

An IP packet with a version other than 4 or 6 was encountered.

Capture the traffic for detailed analysis or ignore this alert.
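The IP-layer checks described above (First Fragment Too Small, Fragment Offset Too Small, Fragment Out Of Bounds, Invalid IP Datagram Length, Invalid IP Header Length and IP Version Unknown) all derive from a handful of IPv4 header fields. The following added example, which is not Trend Micro's engine code, parses those fields from constructed packets and reports which event name each packet would raise. The 120-byte first-fragment minimum is the value given on this page; MIN_FRAGMENT_OFFSET is an assumed value, and the builder helper, sample packets and check names are mine.

```python
"""IPv4 header and fragment sanity checks (added example, not the product's code).
Event names mirror the ones on the page; thresholds marked "assumption" are mine."""
import struct
from typing import List, Optional

MIN_FRAGMENT_SIZE = 120      # from the page: first fragment dropped if total length < 120
MIN_FRAGMENT_OFFSET = 60     # assumption: smallest byte offset accepted for a non-first fragment
IP_MAX_DATAGRAM = 65535      # largest IPv4 datagram that can be reassembled
IP_MF = 0x2000               # "more fragments" flag in the flags/offset field
IP_OFFSET_MASK = 0x1FFF      # 13-bit fragment offset, in 8-byte units


def check_ip_packet(pkt: bytes) -> List[str]:
    """Return the event names a captured packet would raise (empty list if it is clean)."""
    if not pkt:
        return ["Invalid IP Datagram Length"]
    version = pkt[0] >> 4
    if version == 6:
        return []                       # IPv6 is handled by the IPv6 rules, not here
    if version != 4:
        return ["IP Version Unknown"]
    ihl = (pkt[0] & 0x0F) * 4           # header length in bytes; valid values are 20..60
    if ihl < 20:
        return ["Invalid IP Header Length"]
    if len(pkt) < 20:
        return ["Invalid IP Datagram Length"]
    _, _, total_len, _, flags_frag = struct.unpack("!BBHHH", pkt[:8])
    if len(pkt) < total_len or total_len < ihl:
        return ["Invalid IP Datagram Length"]   # header claims more bytes than were captured

    mf = bool(flags_frag & IP_MF)
    offset = (flags_frag & IP_OFFSET_MASK) * 8  # convert 8-byte units to bytes
    if not mf and offset == 0:
        return []                       # not a fragment at all
    events = []
    if mf and offset == 0 and total_len < MIN_FRAGMENT_SIZE:
        events.append("First Fragment Too Small")
    if 0 < offset < MIN_FRAGMENT_OFFSET:
        events.append("Fragment Offset Too Small")
    if offset + (total_len - ihl) > IP_MAX_DATAGRAM:
        events.append("Fragment Out Of Bounds")
    return events


def build_ipv4(payload: bytes, *, mf: bool = False, offset_units: int = 0,
               ihl_words: int = 5, version: int = 4,
               total_len: Optional[int] = None, proto: int = 6) -> bytes:
    """Construct a minimal IPv4 datagram for testing (no checksum; sample input only)."""
    header_len = ihl_words * 4
    if total_len is None:
        total_len = header_len + len(payload)
    flags_frag = (IP_MF if mf else 0) | (offset_units & IP_OFFSET_MASK)
    hdr = struct.pack("!BBHHHBBH4s4s", (version << 4) | ihl_words, 0, total_len,
                      0x1234, flags_frag, 64, proto, 0,
                      bytes([10, 0, 0, 1]), bytes([10, 0, 0, 2]))
    hdr += b"\x00" * (header_len - 20)  # pad options up to the declared IHL
    return hdr + payload


# Constructed sample packets, one per condition.
SAMPLES = {
    "plain TCP packet":           build_ipv4(b"A" * 40),
    "first fragment, 44 bytes":   build_ipv4(b"A" * 24, mf=True),
    "first fragment, 120 bytes":  build_ipv4(b"A" * 100, mf=True),
    "fragment at offset 8":       build_ipv4(b"A" * 8, offset_units=1),
    "fragment past 65535":        build_ipv4(b"A" * 16, offset_units=8190),
    "last fragment at 800":       build_ipv4(b"A" * 16, offset_units=100),
    "IHL of 4 words":             build_ipv4(b"", ihl_words=4),
    "truncated datagram":         build_ipv4(b"A" * 10, total_len=200),
    "version 7":                  build_ipv4(b"", version=7),
}


def main() -> None:
    for label, pkt in SAMPLES.items():
        print(f"{label}: {check_ip_packet(pkt) or 'ok'}")


if __name__ == "__main__":
    main()
```

Run against a capture, the same checks tell you which field of an offending packet tripped the engine, which is faster than lowering a threshold blind; a non-first fragment at a tiny offset or a first fragment too short to hold the TCP header is the classic shape of fragment-overlap evasion.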

IPv6 Packet

An IPv6 Packet was encountered, and IPv6 blocking is enabled.

Change “Block IPv6 on Agents and Appliances versions 9 and later” to No to allow IPv6. For older versions IPv6 is not supported, but the customer can still change the setting to allow it.

Max Incoming Connections

The number of incoming connections exceeded the maximum number of connections allowed.

The number of half-open connections from a single computer exceeded the number specified in the stateful configuration.

This event can be ignored if there is no impact on the server's service. The customer can increase the threshold.

In Firewall > Firewall Stateful Configurations, click Edit, then on the TCP tab increase the half-open connection limit. Do not make it too large, otherwise the server becomes more exposed to SYN-flood style DoS attacks, since the limit is what caps how many embryonic connections one source can hold open.
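To show what the half-open limit actually counts, here is an added example of a per-source half-open connection tracker. It is not Trend Micro's engine code: it follows TCP handshakes in a constructed packet sequence (three completed connections from one host and a SYN flood from another), counts connections that have seen a SYN but not the final ACK, and records a source once its count passes LIMIT. LIMIT is an assumed value, not the product default, and the tracker has no timeout for stale entries.

```python
"""Per-source half-open (embryonic) TCP connection tracker (added example,
not the product's code).  Constructed packets stand in for a capture."""
from collections import defaultdict
from dataclasses import dataclass
from typing import Dict, List, Set, Tuple

FIN, SYN, RST, ACK = 0x01, 0x02, 0x04, 0x10
Key = Tuple[str, int, str, int]          # (client ip, client port, server ip, server port)


@dataclass(frozen=True)
class Pkt:
    src: str
    sport: int
    dst: str
    dport: int
    flags: int


class HalfOpenTracker:
    def __init__(self, limit: int) -> None:
        self.limit = limit
        self.half_open: Dict[str, Set[Key]] = defaultdict(set)  # client ip -> awaiting final ACK
        self.alerted: List[str] = []      # sources in the order they first exceeded the limit

    def observe(self, p: Pkt) -> None:
        if p.flags & SYN and not p.flags & ACK:
            # client SYN opens an embryonic connection attributed to the client address
            pending = self.half_open[p.src]
            pending.add((p.src, p.sport, p.dst, p.dport))
            if len(pending) > self.limit and p.src not in self.alerted:
                self.alerted.append(p.src)
            return
        if p.flags & SYN and p.flags & ACK:
            return                        # server SYN-ACK: still half open
        if p.flags & RST:
            # a reset from either side aborts the attempt; try both orientations
            for key in ((p.src, p.sport, p.dst, p.dport), (p.dst, p.dport, p.src, p.sport)):
                self.half_open[key[0]].discard(key)
        elif p.flags & ACK:
            # final ACK of the handshake comes from the client
            self.half_open[p.src].discard((p.src, p.sport, p.dst, p.dport))

    def count(self, src: str) -> int:
        return len(self.half_open[src])


def sample_traffic() -> List[Pkt]:
    """Constructed packet sequence: honest client plus a SYN flood against 10.0.0.80:443."""
    pkts: List[Pkt] = []
    for port in (40000, 40001, 40002):                # three completed handshakes
        pkts.append(Pkt("10.0.0.5", port, "10.0.0.80", 443, SYN))
        pkts.append(Pkt("10.0.0.80", 443, "10.0.0.5", port, SYN | ACK))
        pkts.append(Pkt("10.0.0.5", port, "10.0.0.80", 443, ACK))
    for port in range(50000, 50008):                  # eight SYNs that never complete
        pkts.append(Pkt("198.51.100.7", port, "10.0.0.80", 443, SYN))
        pkts.append(Pkt("10.0.0.80", 443, "198.51.100.7", port, SYN | ACK))
    pkts.append(Pkt("10.0.0.80", 443, "198.51.100.7", 50000, RST))  # server gives up on one
    return pkts


def replay(packets: List[Pkt], limit: int) -> HalfOpenTracker:
    tracker = HalfOpenTracker(limit)
    for p in packets:
        tracker.observe(p)
    return tracker


def main() -> None:
    t = replay(sample_traffic(), limit=5)
    for src in ("10.0.0.5", "198.51.100.7"):
        print(f"{src}: {t.count(src)} half-open")
    print("exceeded limit:", t.alerted)


if __name__ == "__main__":
    main()
```

With a limit of 5 the honest client never accumulates anything, because each of its SYNs is cleared by its own final ACK, while the flooding source is reported on its sixth outstanding SYN and still holds seven after the server's RST; raising the limit merely moves the point at which that source is reported.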